An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly.
This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API and exists only when a client includes a duplicate API parameter in API requests.
Logged information includes the cleartext username, password, and API key of the administrator making the PAN-OS XML API request.
| Product | Affected versions | Unaffected versions |
|---|---|---|
| PAN-OS 10.0 | < 10.0.1 | >= 10.0.1 |
| PAN-OS 9.1 | < 9.1.6 | >= 9.1.6 |
| PAN-OS 9.0 | < 9.0.12 | >= 9.0.12 |
| PAN-OS 8.1 | < 8.1.19 | >= 8.1.19 |
This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API.
CVSSv3.1 Base Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.12, PAN-OS 9.1.6, PAN-OS 10.0.1, and all later PAN-OS versions.
After you upgrade the PAN-OS appliance, you must change the passwords and generate a new API key for all impacted PAN-OS administrators.
You must change the passwords and generate a new API key for all impacted PAN-OS administrators. Confirm that there aren’t any PAN-OS XML API requests that repeat API parameters in the request.
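Two practical checks follow from the advisory: a client-side lint that refuses to send an XML API request that repeats a parameter (the trigger condition described above), and a log review that finds which administrators' credentials or API keys already reached the web server logs, so the right accounts get their passwords changed and keys regenerated. The script below is an added example, not Palo Alto Networks code. It assumes requests are built as a URL plus an optional form-encoded body, and the log lines it parses are constructed in a common-log-style format with placeholder secrets; the real web server log format may differ.

```python
"""Lint PAN-OS XML API requests for repeated parameters and review logs for
exposed secrets. Added example, not vendor code; log format is an assumption."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter names that carry secrets in XML API requests (from the advisory).
SECRET_PARAMS = {"password", "key"}


def repeated_params(url, body=None):
    """Return the sorted names of parameters that appear more than once across
    the query string and the form-encoded body of a single request."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if body:
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return sorted(name for name, count in Counter(names).items() if count > 1)


def check_request(url, body=None):
    """Call before sending: raise if any parameter is repeated, else return
    the request unchanged. A clean request never triggers the logging bug."""
    dups = repeated_params(url, body)
    if dups:
        raise ValueError("XML API request repeats parameter(s): " + ", ".join(dups))
    return url, body


# Constructed web server log lines (hypothetical format and placeholder values).
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
LOG_LINES = [
    '10.0.0.5 - - [01/Sep/2020:10:00:00 +0000] "GET /api/?type=keygen&user=admin'
    '&user=admin&password=PLACEHOLDER_PASSWORD HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Sep/2020:10:00:01 +0000] "GET /api/?type=op&key=PLACEHOLDER_KEY'
    '&key=PLACEHOLDER_KEY&cmd=PLACEHOLDER_CMD HTTP/1.1" 200 128',
    '10.0.0.6 - - [01/Sep/2020:10:00:02 +0000] "GET /api/?type=op&cmd=PLACEHOLDER_CMD HTTP/1.1" 200 128',
]


def exposed_secrets(lines):
    """For each logged request whose URL carries a secret parameter, report the
    secret parameter names and any user names, so affected administrators can be
    identified for password rotation and API key regeneration."""
    findings = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        params = parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True)
        secrets = sorted({k for k, _ in params if k in SECRET_PARAMS})
        if secrets:
            users = sorted({v for k, v in params if k == "user"})
            findings.append({"secrets": secrets, "users": users})
    return findings


if __name__ == "__main__":
    for finding in exposed_secrets(LOG_LINES):
        print("exposed:", finding)
    try:
        check_request("https://firewall.example/api/?type=op&key=PLACEHOLDER_KEY&key=PLACEHOLDER_KEY")
    except ValueError as err:
        print("blocked:", err)
```

The lint only looks at parameter names, so it is safe to run on every outgoing request; the log review deliberately reports names rather than the secret values themselves, since the point is to know whose credentials to rotate, not to copy them out of the log.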